One of the main barriers facing federal agencies moving to the cloud and modernizing IT systems is not security but culture, according to a top agency official.

Matt Goodrich, Federal Risk and Authorization Management Program (FedRAMP) manager at the General Services Administration, said at the Amazon Web Services Public Sector Summit Tuesday that many federal managers believe that their servers are only secure if they can see them and touch them.

“The federal government needs to get out of this culture, this ‘hugger‘ environment of thinking that if I can hug my server, then it’s secure,” Goodrich said.

He said the growing number of contractors who have gone through the FedRAMP process shows that cloud services can meet strict security requirements and do not require the government to build its own data centers.

Under the FedRAMP program, contractors that provide cloud computing services to agencies are required to meet strict security requirements and pass an independent, third-party review.

“The federal government needs to have a culture change,” he said.

Patrick Gallagher, director of NIST, said at the conference the nature of the IT transformation within government, including big data, mobility and cloud computing, was so powerful agencies were only beginning to see its effects.

But in order to realize its full potential agencies are going to have to adopt a culture of change, he said, and shed a culture of doing things a certain way because that’s how its always been done.

“It’s always harder to change an embedded culture than to create a new one,” Gallgaher said.